CVE-2024-46906

8.8 HIGH

📋 TL;DR

A SQL injection vulnerability in WhatsUp Gold allows authenticated users with at least Report Viewer permissions to escalate privileges to admin accounts. This affects WhatsUp Gold versions before 2024.0.1, potentially compromising the entire monitoring system.

💻 Affected Systems

Products:
  • WhatsUp Gold
Versions: All versions before 2024.0.1
Operating Systems: Windows (primary platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least Report Viewer permissions; default installations with default user roles are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover where an attacker gains full administrative control, can modify configurations, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Privilege escalation leading to unauthorized administrative access, allowing attackers to view/modify network monitoring data and system settings.

🟢 If Mitigated

Limited impact if proper input validation and least privilege principles are enforced, though SQL injection attempts may still be logged.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing instances could be targeted by attackers who obtain or guess valid credentials.
🏢 Internal Only: HIGH - Internal users with Report Viewer access could exploit this to gain administrative privileges and compromise the monitoring infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with Report Viewer or higher permissions; SQL injection knowledge needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.0.1 or later

Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024

Restart Required: No

Instructions:

1. Download WhatsUp Gold 2024.0.1 or later from the Progress website.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Verify that the installation completes successfully.

🔧 Temporary Workarounds

Restrict Report Viewer Access


Limit Report Viewer permissions to only trusted users who absolutely need this access level.

Network Segmentation


Isolate WhatsUp Gold server from general network access and restrict connections to authorized management systems only.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at the application level if source code access is available.
  • Deploy web application firewall (WAF) with SQL injection protection rules and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the WhatsUp Gold version in Administration > About. If the version is below 2024.0.1, the system is vulnerable.

Check Version:

Check via WhatsUp Gold web interface: Administration > About, or examine installation directory version files.

Verify Fix Applied:

Verify version is 2024.0.1 or higher in Administration > About, then test that SQL injection attempts are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful Report Viewer login
  • User privilege changes from Report Viewer to Administrator

Network Indicators:

  • SQL injection patterns in HTTP requests to WhatsUp Gold web interface
  • Unusual database connections from application server

SIEM Query:

source="whatsup_gold_logs" AND (event_type="privilege_escalation" OR sql_query="*UNION*" OR sql_query="*SELECT*FROM*users*")
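The indicators above say what to look for but not how to search for it. The following Python script is an added example, not part of this advisory and not code from Progress or WhatsUp Gold. It scans constructed sample log lines for two of the indicator classes listed above: SQL-injection-like patterns in the query string of HTTP requests, and audit events where a user's role changes from Report Viewer to Administrator. It then correlates the two, flagging users that appear in both. The access-log and audit-log formats, field names, URL paths and user names are all assumptions made for the example; adapt the two regexes to the log format your WhatsUp Gold installation actually writes.

```python
"""Detection example (added; not from the advisory or the vendor).

Scans constructed log lines for (1) SQL-injection-like request patterns and
(2) Report Viewer -> Administrator role changes, then correlates by user.
"""
import re
from urllib.parse import unquote_plus

# ASSUMED access-log format: "<ts> <user> <METHOD> <path?query> <status>"
ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)
# ASSUMED audit-log format:
# "<ts> AUDIT user=<name> old_role=\"<old>\" new_role=\"<new>\" actor=<actor>"
AUDIT_RE = re.compile(
    r'^(?P<ts>\S+) AUDIT user=(?P<user>\S+) old_role="(?P<old>[^"]*)" '
    r'new_role="(?P<new>[^"]*)" actor=(?P<actor>\S+)$'
)

# Generic SQL-injection signatures, checked against the URL-decoded request
# target. Order matters: the first match is reported.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I), "tautology"),
    (re.compile(r";\s*(drop|exec|insert|update|delete)\b", re.I), "stacked query"),
    (re.compile(r"(--|/\*|#)\s*$"), "trailing SQL comment"),
]

# Constructed sample input (paths, users and timestamps are invented).
SAMPLE_LOG = """\
2024-09-25T10:00:01Z rviewer1 GET /console/reports/view?id=42 200
2024-09-25T10:00:07Z rviewer1 GET /console/reports/view?id=42%27%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- 500
2024-09-25T10:00:09Z rviewer1 GET /console/reports/view?id=42%27%20OR%20%271%27%3D%271 200
2024-09-25T10:01:30Z AUDIT user=rviewer1 old_role="Report Viewer" new_role="Administrator" actor=rviewer1
2024-09-25T10:02:00Z admin1 GET /console/admin/users 200
2024-09-25T10:03:00Z AUDIT user=newhire old_role="Report Viewer" new_role="Network Manager" actor=admin1
"""


def check_request(line):
    """Return an alert dict if the request target contains an SQLi signature."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["target"])  # decode %27, %20, '+' etc. before matching
    for pattern, label in SQLI_PATTERNS:
        if pattern.search(decoded):
            return {"type": "sqli_pattern", "ts": m["ts"], "user": m["user"], "detail": label}
    return None


def check_audit(line):
    """Return an alert dict for a Report Viewer -> Administrator role change."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    if m["old"].casefold() == "report viewer" and m["new"].casefold() == "administrator":
        return {"type": "role_escalation", "ts": m["ts"], "user": m["user"], "detail": m["actor"]}
    return None


def scan(lines):
    """Run every checker over every line; one alert per matching line at most."""
    alerts = []
    for line in lines:
        line = line.rstrip("\n")
        for checker in (check_request, check_audit):
            alert = checker(line)
            if alert:
                alerts.append(alert)
                break
    return alerts


def correlate(alerts):
    """Users that both sent SQLi-like requests and were escalated to Administrator."""
    by_type = {}
    for a in alerts:
        by_type.setdefault(a["type"], set()).add(a["user"])
    return by_type.get("sqli_pattern", set()) & by_type.get("role_escalation", set())


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["ts"]} {a["type"]:16} user={a["user"]} ({a["detail"]})')
    print("users with SQLi activity followed by admin escalation:", sorted(correlate(found)))
```

The request checker decodes the URL before matching so that `%27`/`%20` encoding does not hide a payload, and the audit checker deliberately ignores role changes to anything other than Administrator so that routine promotions (the `newhire` line above) do not fire. The correlation step is the part worth keeping even if you replace the regexes: a single Report Viewer account that both emits injection-shaped requests and then gains administrator rights is a much stronger signal than either event alone.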
